Medical Records Security Faces Electronic Challenges

Health-care providers are taking steps to make sure systems are secure, but federal laws requiring a transition to digital medical records leave them potentially vulnerable to sophisticated hacking.

by Scott Powers, McClatchy News Service
/
April 29, 2014

As more and more medical records are stored and shared digitally, the risk of highly private, potentially embarrassing disclosures grows.

Hospitals and most other health-care providers are taking steps to make sure records are secure. Meanwhile federal law is requiring they keep medical records digitally, making them potentially vulnerable to the same type of sophisticated hacking that recently opened holes in online security systems ranging from Target to Tumblr.

Even before new federal laws began kicking in this year requiring a transition to digital medical records, vulnerabilities were showing up, with hundreds of medical-record security breaches reported to federal officials every year, including three recent cases in Orlando.

Since the federal government started keeping records on medical record data breaches in 2009, there have been two cases in Florida that each involved more than 1 million patients' records, and 11 more Florida cases involving more than 10,000 patients each. All but one of those were deemed thefts, not losses.

And it's happening locally.

•In 2011, two employees of the Orange County Health Department pulled some private, confidential patient information from computers about thousands of patients there. And in short time false income tax returns were filed seeking refunds in those patients' names. Both employees were convicted and sent to federal prison for identity theft.

•In 2012 two employees of Florida Hospital's Celebration Health hospital were bribed to extract private, confidential patient information from computers about thousands of patients in the hospital's three-county system. Those patients began getting solicitation from personal-injury lawyers and chiropractors who somehow knew they had been injured in car accidents.

•In January, an employee of Orlando Health misplaced a computer thumb drive with data on hundreds of patients of Arnold Palmer and Winnie Palmer hospitals. So far, there have been no reports of any misuse of the information. After investigating, hospital officials expressed confidence that the device was lost, not stolen, and that the information on it probably was too incomplete to be useful to thieves, anyway.

The thumb drive that disappeared at Florida Health apparently had information that lacked full patients' names or Social Security numbers, and that was no accident.

"If someone is nefarious, what are they going to try to do? Down south, It's been rampant in South Florida, identity theft. ... So what we do is restrict," said Steve Stallard, corporate director of Compliance and Information Security at Orlando Health."What's the big asset? Social Security numbers. We restrict access. We restrict putting it on reports."

Orlando Health also restricts who has access to certain types of information and regularly trains hospital employees on data security. There also are programs that monitor Internet-data flow in and out of the hospital campuses, and even activity on individual computers.

"I call it 'Big Brother in the sky,'" Stallard said.

Much of that is true for most health-care providers, though some already were burned. After the Orange County Health Department breach was uncovered — and two (now former) employees, who have since been sentenced to prison — changes were made.

"Since then there hasn't been any patient records with Social Security numbers in them," said spokesman Dain Weistser. "The Social Security records are masked now so you only see the last four digits, and access has been limited. This is statewide, through the [Florida] Department of Health. So it's been limited to certain employees who absolutely have to have access to that information."

Yet the risks may be increasing if hackers and others start looking away from retailers to less-obvious targets and uses, said Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society.

"The unique thing with patient information is … if one's medical identity were stolen [and] someone who is masquerading as myself is able to obtain the medical service or medical products, or even a prescription using my identity, then that's a risk to me as a person," Kim said.

An earlier version of this article included a quotation that incorrectly described a security breach at Broward Health.